From: Frank Brehm Date: Wed, 28 Oct 2020 07:02:52 +0000 (+0100) Subject: committing changes in /etc made by "/usr/bin/apt full-upgrade -y" X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=53d96b713d3d8d280b4f6218dc2f6f433b1439ba;p=config%2Fbruni%2Fetc-mint-new1.git committing changes in /etc made by "/usr/bin/apt full-upgrade -y" Package changes: -gir1.2-gweather-3.0 3.36.0-1 amd64 +gir1.2-gweather-3.0 3.36.1-1~ubuntu20.04.1 amd64 -libgweather-3-16 3.36.0-1 amd64 -libgweather-common 3.36.0-1 all +libgweather-3-16 3.36.1-1~ubuntu20.04.1 amd64 +libgweather-common 3.36.1-1~ubuntu20.04.1 all -openjdk-11-jre 11.0.8+10-0ubuntu1~20.04 amd64 -openjdk-11-jre-headless 11.0.8+10-0ubuntu1~20.04 amd64 -openjdk-8-jdk 8u265-b01-0ubuntu2~20.04 amd64 -openjdk-8-jdk-headless 8u265-b01-0ubuntu2~20.04 amd64 -openjdk-8-jre 8u265-b01-0ubuntu2~20.04 amd64 -openjdk-8-jre-headless 8u265-b01-0ubuntu2~20.04 amd64 +openjdk-11-jre 11.0.9+11-0ubuntu1~20.04 amd64 +openjdk-11-jre-headless 11.0.9+11-0ubuntu1~20.04 amd64 +openjdk-8-jdk 8u272-b10-0ubuntu1~20.04 amd64 +openjdk-8-jdk-headless 8u272-b10-0ubuntu1~20.04 amd64 +openjdk-8-jre 8u272-b10-0ubuntu1~20.04 amd64 +openjdk-8-jre-headless 8u272-b10-0ubuntu1~20.04 amd64 --- diff --git a/java-11-openjdk/jfr/default.jfc b/java-11-openjdk/jfr/default.jfc index d55eeea..e76140c 100644 --- a/java-11-openjdk/jfr/default.jfc +++ b/java-11-openjdk/jfr/default.jfc @@ -420,6 +420,15 @@ false + + false + everyChunk + + + + false + + true false diff --git a/java-11-openjdk/jfr/profile.jfc b/java-11-openjdk/jfr/profile.jfc index 9023cd0..11ad365 100644 --- a/java-11-openjdk/jfr/profile.jfc +++ b/java-11-openjdk/jfr/profile.jfc @@ -420,6 +420,15 @@ false + + false + everyChunk + + + + false + + true true diff --git a/java-11-openjdk/security/blacklisted.certs b/java-11-openjdk/security/blacklisted.certs index e192c1a..beded9e 100644 --- a/java-11-openjdk/security/blacklisted.certs +++ b/java-11-openjdk/security/blacklisted.certs @@ -1,20 +1,39 @@ Algorithm=SHA-256 +03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2 +08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650 14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD +1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7 +1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D +2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4 31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133 3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66 +3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0 +423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB 450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2 4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE 4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176 +535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172 +568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C3611BFE19 +585CFE6B7436CBD4E732763A2137D7F49599BA9B1790E688FCEC799C58EB84A6 5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B +71CB00749B9130FB2707A2664BFF958D0FCC8E161D9674C7450BA0FC2BEAF9D3 76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645 8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF 9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC +9FADCE80D62A959F9930D748488C1E22E821F4E1E4A43584B848C2FC11E04D77 A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083 +A90132CEA1D4F7185E4F688EFFD16F6AC14DFD78356A807599A5DABBEEF3333E B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD +C0D1F42B9F4BF7ACC045B7BB5D4805E10737F67B6310CE505248D543D0D5FE07 +D0156949F1381943442C6974E9B5B49EF441BB799EF20477B90A89C3F33620CE +D151962D954970501C60079258EBCFA38502E0A9F03CD640322B08C0A3117FE5 D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967 +D6CEAE5D9E047FAF7D797858D229AC991AD44316D1E2A37A21926D763153593A DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE +E0E740E4B0F8B3548181FF75B5372FAF4C70B99EC995D694ED0FB91B03FF8D21 EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7 +FBB12938ABD86C125796EDF4162D291028890A7D6C0C1CCA75FD4B95EBFA7A1A FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security index 788ee84..0c0a901 100644 --- a/java-11-openjdk/security/java.security +++ b/java-11-openjdk/security/java.security @@ -477,6 +477,22 @@ sun.security.krb5.disableReferrals=false # be overwritten with a System property (-Dsun.security.krb5.maxReferrals). sun.security.krb5.maxReferrals=5 +# +# This property contains a list of disabled EC Named Curves that can be included +# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this +# list in any of the disabledAlgorithms properties, add the property name as +# an entry. +jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \ + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \ + secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \ + sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \ + sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \ + sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \ + X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \ + X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \ + X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \ + brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 + # # Algorithm restrictions for certification path (CertPath) processing # @@ -491,7 +507,7 @@ sun.security.krb5.maxReferrals=5 # " DisabledAlgorithm { , DisabledAlgorithm } " # # DisabledAlgorithm: -# AlgorithmName [Constraint] { '&' Constraint } +# AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty # # AlgorithmName: # (see below) @@ -518,6 +534,9 @@ sun.security.krb5.maxReferrals=5 # UsageConstraint: # usage [TLSServer] [TLSClient] [SignedJAR] # +# IncludeProperty: +# include +# # The "AlgorithmName" is the standard algorithm name of the disabled # algorithm. See "Java Cryptography Architecture Standard Algorithm Name # Documentation" for information about Standard Algorithm Names. Matching @@ -530,6 +549,14 @@ sun.security.krb5.maxReferrals=5 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion # will not disable algorithms related to "ECDSA". # +# The "IncludeProperty" allows a implementation-defined security property that +# can be included in the disabledAlgorithms properties. These properties are +# to help manage common actions easier across multiple disabledAlgorithm +# properties. +# There is one defined security property: jdk.disabled.NamedCurves +# See the property for more specific details. +# +# # A "Constraint" defines restrictions on the keys and/or certificates for # a specified AlgorithmName: # @@ -602,7 +629,28 @@ sun.security.krb5.maxReferrals=5 # # jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ - RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \ + include jdk.disabled.namedCurves + +# +# Legacy algorithms for certification path (CertPath) processing and +# signed JAR files. +# +# In some environments, a certain algorithm or key length may be undesirable +# but is not yet disabled. +# +# Tools such as keytool and jarsigner may emit warnings when these legacy +# algorithms are used. See the man pages for those tools for more information. +# +# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and +# "jdk.jar.disabledAlgorithms" security properties. +# +# Note: This property is currently used by the JDK Reference +# implementation. It is not guaranteed to be examined and used by other +# implementations. + +jdk.security.legacyAlgorithms=SHA1, \ + RSA keySize < 2048, DSA keySize < 2048 # # Algorithm restrictions for signed JAR files @@ -646,7 +694,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ # See "jdk.certpath.disabledAlgorithms" for syntax descriptions. # jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ - DSA keySize < 1024 + DSA keySize < 1024, include jdk.disabled.namedCurves # # Algorithm restrictions for Secure Socket Layer/Transport Layer Security @@ -679,7 +727,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL + EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ + include jdk.disabled.namedCurves # # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/java-11-openjdk/security/public_suffix_list.dat b/java-11-openjdk/security/public_suffix_list.dat index e8ef7a7..029aa3c 100644 Binary files a/java-11-openjdk/security/public_suffix_list.dat and b/java-11-openjdk/security/public_suffix_list.dat differ diff --git a/java-8-openjdk/security/blacklisted.certs b/java-8-openjdk/security/blacklisted.certs index 00a1dcf..beded9e 100644 --- a/java-8-openjdk/security/blacklisted.certs +++ b/java-8-openjdk/security/blacklisted.certs @@ -1,20 +1,39 @@ -Algorithm=SHA-256 -14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD -31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133 -3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66 -450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2 -4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE -4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176 -5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B -76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645 -8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF -9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC -A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083 -B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD -D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F -D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967 -DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE -EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C -F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7 -FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD -FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B +Algorithm=SHA-256 +03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2 +08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650 +14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD +1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7 +1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D +2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4 +31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133 +3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66 +3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0 +423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB +450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2 +4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE +4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176 +535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172 +568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C3611BFE19 +585CFE6B7436CBD4E732763A2137D7F49599BA9B1790E688FCEC799C58EB84A6 +5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B +71CB00749B9130FB2707A2664BFF958D0FCC8E161D9674C7450BA0FC2BEAF9D3 +76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645 +8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF +9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC +9FADCE80D62A959F9930D748488C1E22E821F4E1E4A43584B848C2FC11E04D77 +A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083 +A90132CEA1D4F7185E4F688EFFD16F6AC14DFD78356A807599A5DABBEEF3333E +B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD +C0D1F42B9F4BF7ACC045B7BB5D4805E10737F67B6310CE505248D543D0D5FE07 +D0156949F1381943442C6974E9B5B49EF441BB799EF20477B90A89C3F33620CE +D151962D954970501C60079258EBCFA38502E0A9F03CD640322B08C0A3117FE5 +D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F +D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967 +D6CEAE5D9E047FAF7D797858D229AC991AD44316D1E2A37A21926D763153593A +DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE +E0E740E4B0F8B3548181FF75B5372FAF4C70B99EC995D694ED0FB91B03FF8D21 +EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C +F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7 +FBB12938ABD86C125796EDF4162D291028890A7D6C0C1CCA75FD4B95EBFA7A1A +FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD +FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B diff --git a/java-8-openjdk/security/java.security b/java-8-openjdk/security/java.security index ad8393c..b766d2e 100644 --- a/java-8-openjdk/security/java.security +++ b/java-8-openjdk/security/java.security @@ -768,6 +768,40 @@ jdk.tls.legacyAlgorithms= \ # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \ # FFFFFFFF FFFFFFFF, 2} +# +# TLS key limits on symmetric cryptographic algorithms +# +# This security property sets limits on algorithms key usage in TLS 1.3. +# When the amount of data encrypted exceeds the algorithm value listed below, +# a KeyUpdate message will trigger a key change. This is for symmetric ciphers +# with TLS 1.3 only. +# +# The syntax for the property is described below: +# KeyLimits: +# " KeyLimit { , KeyLimit } " +# +# WeakKeyLimit: +# AlgorithmName Action Length +# +# AlgorithmName: +# A full algorithm transformation. +# +# Action: +# KeyUpdate +# +# Length: +# The amount of encrypted data in a session before the Action occurs +# This value may be an integer value in bytes, or as a power of two, 2^29. +# +# KeyUpdate: +# The TLS 1.3 KeyUpdate handshake process begins when the Length amount +# is fulfilled. +# +# Note: This property is currently used by OpenJDK's JSSE implementation. It +# is not guaranteed to be examined and used by other implementations. +# +jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37 + # Cryptographic Jurisdiction Policy defaults # # Import and export control rules on cryptographic software vary from @@ -1101,3 +1135,16 @@ jdk.security.caDistrustPolicies=SYMANTEC_TLS # security property value defined here. # #jdk.security.krb5.default.initiate.credential=always-impersonate + +# +# Trust Anchor Certificates - CA Basic Constraint check +# +# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS +# connections) must have the cA Basic Constraint field set to 'true'. Also, if +# they include a Key Usage extension, the keyCertSign bit must be set. These +# checks, enabled by default, can be disabled for backward-compatibility +# purposes with the jdk.security.allowNonCaAnchor System and Security +# properties. In the case that both properties are simultaneously set, the +# System value prevails. The default value of the property is "false". +# +#jdk.security.allowNonCaAnchor=true